Configuring OpenLDAP as an IdP to connect with SimpleSAML
This guide was written using Debian based ( e.g. Ubuntu ) operating system. In other distributions just change the "apt-get" to their respective package manager tool. This example use a public LDAP server that you can use in order to test.
Change the example domain idp-ldap.federation.ga to your domain.
- Apache 2
- PHP 5
- SimpleSAML >= 1.12
- LDAP Server
Instructions:
- Install SimpleSAML follow the Installing SimpleSAML guide.
- Open the config/authsources.php uncomment the 'example-ldap' example (delete the /* before and the */ after) and change the values to your LDAP server values:
- $ nano config/authsources.php
// Example of a LDAP authentication source.
'example-ldap' => array(
'ldap:LDAP',
// Give the user an option to save their username for future login attempts
// And when enabled, what should the default be, to save the username or not
'remember.username.enabled' => FALSE,
'remember.username.checked' => FALSE,
// The hostname of the LDAP server.
'hostname' => 'idp-ldap.federation.ga',
// Whether SSL/TLS should be used when contacting the LDAP server.
'enable_tls' => FALSE,
// Whether debug output from the LDAP library should be enabled.
// Default is FALSE.
'debug' => TRUE,
// The timeout for accessing the LDAP server, in seconds.
// The default is 0, which means no timeout.
'timeout' => 0,
// Set whether to follow referrals. AD Controllers may require FALSE to function.
'referrals' => FALSE,
// Which attributes should be retrieved from the LDAP server.
// This can be an array of attribute names, or NULL, in which case
// all attributes are fetched.
'attributes' => NULL,
// The pattern which should be used to create the users DN given the username.
// %username% in this pattern will be replaced with the users username.
//
// This option is not used if the search.enable option is set to TRUE.
'dnpattern' => 'uid=%username%,dc=idp-ldap,dc=federation,dc=ga',
// As an alternative to specifying a pattern for the users DN, it is possible to
// search for the username in a set of attributes. This is enabled by this option.
'search.enable' => TRUE,
// The DN which will be used as a base for the search.
// This can be a single string, in which case only that DN is searched, or an
// array of strings, in which case they will be searched in the order given.
'search.base' => 'dc=idp-ldap,dc=federation,dc=ga',
// The attribute(s) the username should match against.
//
// This is an array with one or more attribute names. Any of the attributes in
// the array may match the value the username.
'search.attributes' => array('uid', 'mail'),
// The username & password the simpleSAMLphp should bind to before searching. If
// this is left as NULL, no bind will be performed before searching.
'search.username' => 'cn=admin,dc=idp,dc=federation,dc=ga',
'search.password' => 'egdpassword',
// If the directory uses privilege separation,
// the authenticated user may not be able to retrieve
// all required attribures, a privileged entity is required
// to get them. This is enabled with this option.
'priv.read' => TRUE,
// The DN & password the simpleSAMLphp should bind to before
// retrieving attributes. These options are required if
// 'priv.read' is set to TRUE.
'priv.username' => 'cn=admin,dc=idp,dc=federation,dc=ga',
'priv.password' => 'egdpassword',
// If the directory uses privilege separation,
// the authenticated user may not be able to retrieve
// all required attribures, a privileged entity is required
// to get them. This is enabled with this option.
'priv.read' => TRUE,
// The DN & password the simpleSAMLphp should bind to before
// retrieving attributes. These options are required if
// 'priv.read' is set to TRUE.
'priv.username' => 'cn=admin,dc=idp,dc=federation,dc=ga',
'priv.password' => 'egdpassword',
),
- Edit the /var/www/metadata/saml20-idp-hosted.php and change the following line:
- $ nano metadata/saml20-idp-hosted.php
- 'auth' => 'example-ldap',
- Edit the /var/www/metadata/saml20-sp-remote.php and change the domian name
- $ nano metadata/saml20-sp-remote.php
$metadata['google.com'] = array(
'AssertionConsumerService' => 'https://www.google.com/a/appsedudemo.com/acs',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
'simplesaml.nameidattribute' => 'uid',
'simplesaml.attributes' => FALSE,
);
- Open Google Apps admin panel and change the SSO parameters on Security > Advanced Options > SSO
- Sign-in page URL: http://idp-ldap.federation.ga/simplesaml/saml2/idp/SSOService.php
- Sign-out page URL: http://idp-ldap.federation.ga/simplesaml/saml2/idp/initSLO.php?RelayState=/simplesaml/logout.php
- Change password URL: http://idp-ldap.federation.ga
- Upload the generated
- server.crt file generated on the previous steps.